Skip to content
jproxx
← Back to the blog

Security Bulletin for 13 July 2026: Unauthenticated SQL Injection in the WordPress plugin Booking Package

13 July 2026 · jproxx Security

This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. July 13 was quiet for our audience: no Shopware notice, no PHP core release and no new vendor advisory first published that day. We pick out the single WordPress item whose National Vulnerability Database record was updated on July 13.

CVE-2026-15335 — Unauthenticated SQL Injection in Booking Package (high)

The Booking Package plugin contains a login-free SQL injection in all versions up to and including 1.7.20. The REST endpoint /wp-json/booking-package/v1/request is registered with permission_callback: __return_true and is therefore reachable by anyone; the value supplied through the email form field is placed into an existing database query without sufficient escaping. Making matters worse, WordPress’s wp_magic_quotes safeguard does not apply to $_POST values delivered through the REST interface, so single quotes reach the SQL processing intact. An attacker without an account could thereby append additional queries and read data from the database. Practical exploitability is, however, considerably constrained, because the value first passes through WordPress’s is_email() function — a malicious value must still be accepted as a valid email address. The National Vulnerability Database assigns a CVSS score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), classifies the flaw as high and assigns it to weakness class CWE-89 (SQL injection). No corrected version is named as of writing; all releases up to and including 1.7.20 are affected. Until a patch is available, operators should restrict or monitor the affected REST endpoint via a web application firewall or access rule, disable the plugin if it is not needed, and watch the vendor’s changelog so the fix can be applied without delay once released.

Sources: National Vulnerability Database — CVE-2026-15335 · CVE Record — CVE-2026-15335

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.